Virtualization has redefined how IT ops (information technology operations) build and deliver assets in a virtualized environment, where virtual machines or virtual applications (apps) go online or offline, or change zones dynamically within minutes or hours. Traditional Vulnerability Assessment (VA) products, which scan machines to report vulnerabilities, have difficulties in a virtualized environment. A snapshot vulnerability assessment report of a system, provided in the past, becomes obsolete within hours or minutes as virtual machines or workloads change positions within a virtualized environment. Consequently, in virtualized environments, any risks, threat exposures or known vulnerabilities are constantly changing. A security operations team needs a strong and continuous prioritization system to track critical vulnerabilities and take actions as changes occur.
Vulnerability assessment products scan systems on demand and report a list of known vulnerabilities, each in the form of a CVSS (Common Vulnerability Scoring System) score. With workloads constantly changing their positions, the exploitability surface of the same set of vulnerabilities changes as well. The challenges presented include how to interpret hundreds of vulnerabilities reported by these VA products and how to identify specific vulnerabilities that truly represent a clear and present risk to security. The CVSS score (as either a Base CVSS score or a Temporal CVSS score) does not consider the environment-specific characteristics of the customer, the workload distribution, or the threats that can exploit the vulnerabilities based on the positioning of the workload. The CVSS Base or Temporal score only contains a CIA (confidentiality, integrity, availability) score and access vectors to derive the importance of the information, and is not sufficient in a dynamic environment such as the virtualization space. A CVSS score alone does not necessarily provide sufficient information for effective remediation prioritization.
It is within this context that the embodiments arise.